On Thu, Dec 9, 2010 at 7:15 PM, Adam Barth <[email protected]> wrote:
>>>> On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <[email protected]> wrote:
>>>>> There are quite a number of older web forums that sanitize their HTML
>>>>> using black lists and would not strip new attributes like "post-data".
>>>>> For malicious users, it would be very easy to include e.g. <img
>>>>> src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some
>>>>> spam URL)"> in their signature and have users doing involuntary posts by
>>>>> simply viewing a thread.
>>>>
>>>> Indeed. You shouldn't be able to trigger POSTs from involuntary
>>>> actions. They should always require some sort of user input, because
>>>> there is simply *far* too much naive code out there that is vulnerable
>>>> to CSRF.
>>>
>>> Unfortunately, the attacker can already trigger POSTs with involuntary
>>> actions. That code is already vulnerable to attack, sadly.
>>
>> Via scripting, yes, which is usually stripped out by sanitizers (or
>> just plain doesn't work, like javascript urls in images). I don't
>> believe there are any declarative ways to trigger involuntary POSTs,
>> are there?
>
> The attacker can always make a giant invisible button that covers the
> whole page that submits a form. Web sites can generate POST requests
> without user intervention. Anyone who's using POST as a security
> feature has far bigger troubles than this attribute.

Heh, agreed about that. But still, none of those are new POST-ing abilities that can be utilized by J. Random User on a message board with half-decent security.

~TJ
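An added example, not part of the thread or of any forum software: it contrasts the blacklist-style sanitizing described in the quoted message with an allowlist, run on a constructed signature modelled on the `<img ... post-data=...>` snippet quoted above. The tag lists, `SAFE_SCHEMES` and the `Sanitizer` class are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policies (assumptions for this example, not taken from real forum software).
BLOCKED_TAGS = {"script", "iframe", "object", "embed"}
ALLOWED = {"b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "./", "/")

class Sanitizer(HTMLParser):
    """Re-serializes markup, deciding per tag and per attribute what to keep."""
    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist, self.out = allowlist, []

    def keep_tag(self, tag):
        return tag in ALLOWED if self.allowlist else tag not in BLOCKED_TAGS

    def keep_attr(self, tag, name, value):
        value = (value or "").strip().lower()
        if self.allowlist:  # keep only attributes known to be harmless
            ok = name in ALLOWED[tag]
            if name in ("href", "src"):
                ok = ok and value.startswith(SAFE_SCHEMES)
            return ok
        # Blacklist: drops only what was known to be dangerous when the filter was written.
        return not (name.startswith("on") or value.startswith("javascript:"))

    def handle_starttag(self, tag, attrs):
        if self.keep_tag(tag):
            kept = [f'{n}="{escape(v or "")}"' for n, v in attrs if self.keep_attr(tag, n, v)]
            self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup, allowlist):
    parser = Sanitizer(allowlist)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed signature, modelled on the example quoted in the thread.
SIGNATURE = '<img src="./do_post.php" post-data="thread_id=42&post_content=spam" onerror="x()">'

if __name__ == "__main__":
    print("blacklist:", sanitize(SIGNATURE, allowlist=False))
    print("allowlist:", sanitize(SIGNATURE, allowlist=True))
```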
